Appendices
Appendix V: Example responsible, accountable, consulted, informed (RACI) matrix
The following is an example of a RACI matrix highlighting some common roles within an organization and their involvement throughout the ERM process. Each cell gives the role's responsible, accountable, consulted or informed involvement for that ERM component.
| ERM component | Board and sub-committee | Executive committee | ERM Director or CRO | Risk owners (includes sustainability for ESG-specific risks) | Sustainability practitioners |
|---|---|---|---|---|---|
| Governance and Culture | Accountable for setting the tone for governance, culture and risk appetite | Responsible for design and facilitation of the end-to-end ERM process | Responsible for design and facilitation of the end-to-end ERM process and lifecycle | Informed of the ERM process to support management of ESG issues | Informed of the governance model and process to support management of ESG issues |
| Strategy and Objective-Setting | Consulted and made aware of significant changes to the internal and external environment | Accountable for setting the business strategy, objectives and risk appetite | Responsible for facilitating the process for examining the business context and strategy | Consulted on the internal and external changes to identify shifts that may result in risks | Consulted on the internal and external changes and ESG-related impacts and dependencies |
| Performance: identify risks that will impact the business strategy and objectives | Consulted and made aware of the critical risks impacting the business and strategy, and approve selected risk responses (one cell spanning the three Performance rows) | Accountable for identifying and disclosing the material risks that will impact the business strategy | Responsible for facilitating the process for identifying business impacts | Responsible for supporting risk identification and understanding | Consult with risk owners to support identification and understanding of ESG-related risks |
| Performance: assess and prioritize the severity of key risks and opportunities | (see above) | Accountable for assessing and prioritizing risks | Responsible for leveraging tools for risk assessment and prioritization | Responsible for assessing the risk severity on the identified risks | Consult with risk owners on the tools and knowledge to support quantification and prioritization of ESG-related risks |
| Performance: develop and implement responses to prioritized risks | (see above) | Accountable for appropriate allocation of resources to manage prioritized risks | Responsible for coordinating the development of risk responses for each risk area | Responsible for developing appropriate responses to address the risk and implement the response | Consult with risk owners to develop responses to prioritized risks |
| Review and Revision | Consulted on the status of risks and the ERM process | Accountable for monitoring the ERM activities and ensuring risks stay within the company risk appetite | Responsible for developing a consolidated view of metrics to monitor risks | Responsible for developing metrics to monitor risks and business context for when the risk shifts outside tolerance levels | Consulted on appropriate metrics for monitoring ESG-related risks and determine aspects to report on to internal and external stakeholders |
| Information, Communication and Reporting | Consulted on ERM activities and processes disclosed externally | Accountable for communications of ERM activities and processes internally and externally | Responsible for developing internal and external communications on ERM activities and processes | Responsible for providing inputs for internal and external communications on ERM activities and processes | Consulted on the inputs for internal and external communications on ESG-related aspects of ERM activities and processes |
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 103